eRecognition: authentication and authorisation for legal entities (eRec)

Published on: 04/04/2011

eRecognition enables businesses to arrange their affairs with government bodies electronically by maximising public-private cooperation. A unique characteristic of eRecognition is that accredited private sector providers issue proven e-identity, authentication and authorisation solutions to businesses and authorities.  

Formerly, government organisations used a variety of parallel authentication and authorisation solutions, resulting in multiple sets of digital keys and a poor user experience. The ensuing weak user adoption stunted the growth of eBusiness and eGovernment. eRecognition has turned this 'vicious circle' into a 'virtuous circle': each business is issued with a single e-Identity (EID) token that can be used for various government services. Thus, the multiple sets of digital keys are replaced with one digital 'master key'. This will accelerate adoption, since user habits are formed by reusing the same authentication mechanism for various online services.

In creating eRecognition, we have redefined eAuthentication into a service model with its own business case, making it attractive for private EID providers to co-develop and exploit eIdentification. Accredited EID providers work together within the governance organisation. They may assume one or more of four roles:

1. Issuer of eIdentification tokens

2. Authentication service provider

3. Mandate register

4. (e)Recognition broker

The public sector is the 'launching customer' of eRecognition.

Both the public sector and businesses can choose which provider they want to call in for their eRecognition needs. Thus, the EID providers cooperate and compete at the same time, guaranteeing continuous development and quality.

When a legal (or designated) representative of a business logs on to the website of a government organisation, he (or she) uses the EID token (e.g. user name/password, texting, bank card, phone, one-time password (OTP), or public key certificate) issued by the EID service provider of his (or her) choice. Behind the scenes, authentication and authorisation at the relevant assurance level are carried out according to the policies set by the eRecognition governance organisation: an accredited eRecognition broker with access to an authentication service and an authorisation register identifies the person who logs on and the company he represents, and checks his authorisation for the case in point. After logging on successfully, the representative can submit his application and the government organisation can be sure it is genuine. Depending on the type of government service, eRecognition supports four assurance levels, which are based on the STORK classification. Other international standards, such as SAML, are used for secure messaging.

This has drawn responses and interest from a large number of commercial parties, including the most important banks, telcos, software developers and eIdentity experts. Under the guidance of the Ministry, an initial group of ten private sector organisations has now formed the eRecognition network. Currently, the use of eRecognition in the Netherlands focuses on business-to-government. Since eRecognition was launched in May 2010, an increasing number of Netherlands government organisations have become convinced of its benefits. At the same time, the number of businesses using eRecognition is increasing too. By February 2011, transactions with eRecognition amounted to thousands per month.

Likewise, eRecognition offers scope for future expansion. New functions like machine-to-machine and eSignatures have been envisaged. Also, its use may be expanded to government-to-government and business-to-business. There are opportunities for international use in an EU environment as well.

Policy Context

eRecognition is an initiative of the Dutch Ministry of Economic Affairs, Agriculture and Innovation, which has commissioned experts and private suppliers to develop a robust network solution for authentication and authorisation issues, by reusing tried and tested tokens and tools. The Dutch Ministry of Economic Affairs, Agriculture and Innovation initiated eRecognition in order to enhance administrative efficiency and stimulate reduction of administrative burdens for businesses.

As the successor of DigiD for businesses, eRecognition is one of the building blocks of the Dutch National Implementation Programme (NUP), a joint priorities programme of municipal and provincial authorities, regional water boards and central government. This programme sets out to provide excellent (e-)services to business and citizens, one of the primary goals of the Netherlands administration. To achieve this goal, e-government services need to be accessible and reliable.

Therefore, the ministry has invited commercial experts to become involved in the development of a robust e-solution for authentication and authorisation, and to reuse e-identification tokens and tools that have proven their worth in the commercial market. A considerable number of commercial parties have shown their interest by responding and participating, including major banks, telcos, software developers and e-identity experts.

Subsequently, an initial group of ten public sector organisations, under the direction of the ministry, has formed the eRecognition network. Other parties are invited to participate in the network once they are accredited to offer eRecognition services.

Governance is currently supervised by the ministry, and a provisional management organisation has been installed.

With the Internet playing an ever increasing role in conducting business (whether in the public or the commercial domain), the means to sufficiently identify oneself is a prerequisite for the further development of e-business and e-government. The e-identity scheme offered by eRecognition is a major step towards fulfilling this goal.

Last but not least, eRecognition offers a significant contribution to the implementation of cross-border electronic services within Europe, as initiated by the EU Services Directive. 

Description of target users and groups

The main target groups of users find themselves in both the public sector and the business sector.

Users in the public sector are (employees of) government services providers who receive and process applications submitted by the representatives of businesses and other legal entities.

Users in the business sector are legal (or appointed) representatives of a business. Their authorisation levels are relevant to their positions and activities. These authorisation levels are registered.

Description of the way to implement the initiative

Instead of looking at identity verification as a type of service, or as a security problem, we regard it as a mutually beneficial two-sided network between administrations and users: one side of the network benefits from the growth of the other side of the network.

Within the network, we define two domains: a 'cooperative domain' and a 'competitive domain'. The cooperative domain is the minimal set of agreements for parties to cooperate in the areas of infrastructure, applications and business.

The competitive domain is the part of the market where market parties compete within the framework of the set of agreements established in the cooperative domain.

Four roles at the heart

Within this network four roles have been distinguished: the user (business and user), the public eService (government), and their respective service-providing roles: the token issuer and the broker.

The 4-party model connects existing means of authentication or keys (e.g. cards, mobile phones, tokens, passwords) to eService Providers. The user is registered in the mandate register and, through the authentication service, a reliable and fast verification of this user can be accomplished. The roles of 'token issuer', 'authorisation register' and 'authentication service' can be executed by multiple commercial parties. All parties are to connect to each other. Therefore, both the public service and the company only need a contract and a connection to a single provider of their choice.

  1. Broker. This role is completely dedicated to the public service. It is the interface through which the public service 'talks' with the eRecognition network. The public service asks the network for an identification (a Chamber of Commerce reference) through the broker. The online user is then redirected to his authentication provider of choice.
  2. Mandate register. This register stores all authorisations of a person on behalf of the company. The authorisations can only be created and maintained by an authorised person of that particular business. In the case of small businesses this is usually the owner.
  3. Authentication service. This role makes the authentication tokens available in the network in real time.
  4. Token issuer. The issuers provide authentication tokens (texting, OTP, certificates, user name/password) to businesses and their users.

Scheme

Figure 1: Four-party model for identity services

Note: The roles of 'token issuer', 'mandate register' and 'authentication service' are all related to service provision towards the user ('Company and user' in the scheme) and are seen as one role when we mention 'four-party model'.


The access criteria for private players for each role are also defined. The governance of this set of agreements (also known as 'scheme') is organised collectively and is supervised by the Ministry during the current phase of further development and implementation. Eventually, governance will be assigned to an independent party.


The four-party network model for e-identity leads to an 'inclusive approach' offering a place for all existing and new players in this market. Collaborating parties do not compete on infrastructure, but only on the provision of services according to the roles in the model. This is opposed to the current 'exclusive approach' where existing solutions compete for both users and relying parties, which leads to a suboptimal market structure and limited growth.


The history of four-party models in other industries (credit cards, payments, the Internet) shows us that this approach is very scalable and can therefore be taken up rapidly. Next to their role of 'launching customer', governments can play a facilitating role. This enables the government to address complex issues like privacy and liability, while the market has to provide the available knowledge and means to create a solution that works.


Several large public organisations are already involved as early adopters in the development of eRecognition. They also stimulate their 'customers' (businesses and public sector organisations) to use eRecognition. A temporarily free token service is offered as an extra incentive to migrate legal entities towards eRecognition and has already drawn thousands of users.

In 2011, eRecognition will be consolidated further and be implemented on a larger scale by more government organisations.

Technology solution

  • SAML 2.0 and XACML internally in the network
  • SAML 2.0 on the interface Broker - eService provider
  • Four levels of trust based on STORK assurance levels for authentication

In principle, eService Providers can connect with more than one Routing Service. This opportunity can be of interest for a number of reasons, such as the distribution of risk (redundancy) and fee optimisation through competition.
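As an added example (not eRecognition's own code or protocol messages), the following Python sketch walks through the logon flow from the four-roles list and the assurance-level rule from the technology bullets: a broker takes the eService's request, hands authentication to the user's chosen provider, compares the token's STORK level with the level the service demands, and consults the mandate register before releasing the Chamber of Commerce reference. All identifiers, secrets, provider names and the dictionary result format are constructed; the real network exchanges SAML 2.0 and XACML messages, which are not modelled here.

```python
from dataclasses import dataclass
# Four levels of trust, based on the STORK assurance levels (1 = lowest).
STORK_LEVELS = (1, 2, 3, 4)

@dataclass(frozen=True)
class Credential:
    user_id: str   # natural person holding the token
    secret: str    # constructed stand-in for the token proof (OTP, certificate, ...)
    level: int     # assurance level the token issuer accredits this token for

class AuthenticationService:
    """One accredited provider, verifying in real time the tokens it issued."""
    def __init__(self, credentials):
        self._by_user = {c.user_id: c for c in credentials}

    def authenticate(self, user_id, secret):
        cred = self._by_user.get(user_id)
        return cred if cred is not None and cred.secret == secret else None

class MandateRegister:
    """Records which person may act for which company (KvK reference) on which eService."""
    def __init__(self, mandates):
        self._mandates = set(mandates)          # (user_id, kvk_ref, service_id)

    def is_authorised(self, user_id, kvk_ref, service_id):
        return (user_id, kvk_ref, service_id) in self._mandates

class Broker:                                   # the eService's single interface to the network
    def __init__(self, auth_services, register):
        self._auth = auth_services              # provider name -> AuthenticationService
        self._register = register

    def logon(self, service_id, required_level, provider, user_id, secret, kvk_ref):
        auth = self._auth.get(provider)         # the user's provider of choice
        if required_level not in STORK_LEVELS or auth is None:
            return {"ok": False, "reason": "bad request"}
        cred = auth.authenticate(user_id, secret)
        if cred is None:
            return {"ok": False, "reason": "authentication failed"}
        if cred.level < required_level:         # token weaker than the service requires
            return {"ok": False, "reason": "assurance level too low"}
        if not self._register.is_authorised(user_id, kvk_ref, service_id):
            return {"ok": False, "reason": "no mandate for this company and service"}
        # Only now does the eService learn who acts for which company, and at what level.
        return {"ok": True, "kvk_ref": kvk_ref, "level": cred.level}

def build_demo_network():
    """Constructed sample: one provider with a level-2 token, one mandate (hypothetical ids)."""
    return Broker({"bank-a": AuthenticationService([Credential("alice", "otp-123456", 2)])},
                  MandateRegister({("alice", "KVK-00000001", "tax-return")}))
```

The mandate check runs only after authentication succeeds at a sufficient level, so a weak token can never be upgraded by a strong mandate, and a strong token is useless for a service the person has no mandate for.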

Technology choice: Mainly (or only) open standards

Main results, benefits and impacts

The advantages of eRecognition are plentiful:

Benefits for the public sector:

  • eRecognition maximally exploits the performance of solutions in the market by creating a business network of providers of available e-identity solutions in the private market. By (re)using already available solutions, authentication and authorisation are outsourced to the commercial market. This improves and stimulates the development of public e-services.
  • The accessibility and reliability of these services will continue to be improved and thus become more attractive and more frequently used. Consequently, government organisations can expect an increasing number of users of their e-services. E-government services will really take off once citizens can reuse authentication mechanisms they already have (e.g. for online banking and e-commerce).
  • The public sector sets the requirements and can select a standardised solution - with multilevel assurance - from competing providers.
  • Government organisations can choose their preferred eRecognition supplier.
  • Users of electronic services can reuse their eRecognition identity at multiple electronic public services.
  • Government organisations can set the assurance level of their particular services provision.
  • With a single connection to the eRecognition network a government services provider gains access to all eRecognition tools and authorisations that have been made available in the network.

Benefits for the business sector:

  • Businesses can choose their preferred eRecognition supplier.
  • Only accredited suppliers can offer eRecognition services, which enhances reliability.
  • A single set of credentials for identification at all public e-services (instead of several identification tools).
  • Specific authorisation for employees and/or positions, according to the set assurance level.
  • The possibility to authorise a third party to conduct e-business on behalf of the company.
  • Registration of all representatives and employees whom the business authorises.
  • Digital interaction with the public sector 24/7 is more efficient and less time-consuming than the analogue alternative.

Benefits on a European scale:

  • The delivery of cross-border services and the stimulation of mobility for citizens and businesses once eRecognition becomes interoperable with other national e-Identity solutions.
  • eRecognition will offer a significant contribution to the implementation of cross-border electronic services within Europe, as initiated by the Services Directive.

Return on investment

Return on investment: Not applicable / Not available

Track record of sharing

eRecognition makes use of tools and devices that have already proven their worth in the private sector. Furthermore, deploying private sector providers ensures continuous improvement and fine-tuning of those tools and devices, since the market parties seek to maintain or enhance their competitive position. In turn the developments within eRecognition can be rolled out to other domains, such as B2B, G2G, eSignature, B2G on a European scale and so on.

In the Netherlands best practices related to eRecognition are regularly discussed among market parties and government agencies.

eRecognition is an open network for (international) private organisations that choose to adhere to the requirements for trust, resilience and service set by the governing rules of eRecognition. eRecognition is designed for European interoperability, since any party can apply, irrespective of the country.

Moreover, eRecognition can be replicated in other countries with local market parties and has been designed to become interoperable between countries.

Lessons learnt

1. Starting small, with limited technical complexity, and building on that successful implementation worked very well. The reduction of complexity was done on two sides: involving three large government agencies as launching customers in the development of the agreements scheme; and starting by solving just the authentication with basic authorisation. This approach differed from the commonly used approach where the solution had to fit all government agencies right away and had to cover many functions and technical challenges. In this way eRecognition stayed on target with planning and costs.

2. Despite their differences and competition, private parties are willing to cooperate in order to establish a robust eID system for businesses. A good catalyst for this was putting them in a pressure cooker and having persons with authority manage the process. In fact, the solution thus found is based on state-of-the-art technology, and it can be doubted whether a government-built solution would have been of the same quality, scalability and cost-effectiveness.

3. The devil is in the detail. In the weeks before the start of the pilot a lot of technical issues had to be solved to make the process work, despite the fact that the standards and technical implementation requirements were clear to everybody. So allow enough time for the implementation phase before starting a pilot.

Scope: Local (city or municipality), National, Regional (sub-national)